|
| 1 | +SCTP SELinux Support |
| 2 | +===================== |
| 3 | + |
| 4 | +Security Hooks |
| 5 | +=============== |
| 6 | + |
| 7 | +``Documentation/security/LSM-sctp.rst`` describes the following SCTP security |
| 8 | +hooks with the SELinux specifics expanded below:: |
| 9 | + |
| 10 | + security_sctp_assoc_request() |
| 11 | + security_sctp_bind_connect() |
| 12 | + security_sctp_sk_clone() |
| 13 | + security_inet_conn_established() |
| 14 | + |
| 15 | + |
| 16 | +security_sctp_assoc_request() |
| 17 | +----------------------------- |
| 18 | +Passes the ``@ep`` and ``@chunk->skb`` of the association INIT packet to the |
| 19 | +security module. Returns 0 on success, error on failure. |
| 20 | +:: |
| 21 | + |
| 22 | + @ep - pointer to sctp endpoint structure. |
| 23 | + @skb - pointer to skbuff of association packet. |
| 24 | + |
| 25 | +The security module performs the following operations: |
| 26 | + IF this is the first association on ``@ep->base.sk``, then set the peer |
| 27 | + sid to that in ``@skb``. This will ensure there is only one peer sid |
| 28 | + assigned to ``@ep->base.sk`` that may support multiple associations. |
| 29 | + |
| 30 | + ELSE validate the ``@ep->base.sk peer_sid`` against the ``@skb peer sid`` |
| 31 | + to determine whether the association should be allowed or denied. |
| 32 | + |
| 33 | + Set the sctp ``@ep sid`` to socket's sid (from ``ep->base.sk``) with |
| 34 | + MLS portion taken from ``@skb peer sid``. This will be used by SCTP |
| 35 | + TCP style sockets and peeled off connections as they cause a new socket |
| 36 | + to be generated. |
| 37 | + |
| 38 | + If IP security options are configured (CIPSO/CALIPSO), then the ip |
| 39 | + options are set on the socket. |
| 40 | + |
| 41 | + |
| 42 | +security_sctp_bind_connect() |
| 43 | +----------------------------- |
| 44 | +Checks permissions required for ipv4/ipv6 addresses based on the ``@optname`` |
| 45 | +as follows:: |
| 46 | + |
| 47 | + ------------------------------------------------------------------ |
| 48 | + | BIND Permission Checks | |
| 49 | + | @optname | @address contains | |
| 50 | + |----------------------------|-----------------------------------| |
| 51 | + | SCTP_SOCKOPT_BINDX_ADD | One or more ipv4 / ipv6 addresses | |
| 52 | + | SCTP_PRIMARY_ADDR | Single ipv4 or ipv6 address | |
| 53 | + | SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6 address | |
| 54 | + ------------------------------------------------------------------ |
| 55 | + |
| 56 | + ------------------------------------------------------------------ |
| 57 | + | CONNECT Permission Checks | |
| 58 | + | @optname | @address contains | |
| 59 | + |----------------------------|-----------------------------------| |
| 60 | + | SCTP_SOCKOPT_CONNECTX | One or more ipv4 / ipv6 addresses | |
| 61 | + | SCTP_PARAM_ADD_IP | One or more ipv4 / ipv6 addresses | |
| 62 | + | SCTP_SENDMSG_CONNECT | Single ipv4 or ipv6 address | |
| 63 | + | SCTP_PARAM_SET_PRIMARY | Single ipv4 or ipv6 address | |
| 64 | + ------------------------------------------------------------------ |
| 65 | + |
| 66 | + |
| 67 | +``Documentation/security/LSM-sctp.rst`` gives a summary of the ``@optname`` |
| 68 | +entries and also describes ASCONF chunk processing when Dynamic Address |
| 69 | +Reconfiguration is enabled. |
| 70 | + |
| 71 | + |
| 72 | +security_sctp_sk_clone() |
| 73 | +------------------------- |
| 74 | +Called whenever a new socket is created by **accept**\(2) (i.e. a TCP style |
| 75 | +socket) or when a socket is 'peeled off' e.g userspace calls |
| 76 | +**sctp_peeloff**\(3). ``security_sctp_sk_clone()`` will set the new |
| 77 | +sockets sid and peer sid to that contained in the ``@ep sid`` and |
| 78 | +``@ep peer sid`` respectively. |
| 79 | +:: |
| 80 | + |
| 81 | + @ep - pointer to current sctp endpoint structure. |
| 82 | + @sk - pointer to current sock structure. |
| 83 | + @sk - pointer to new sock structure. |
| 84 | + |
| 85 | + |
| 86 | +security_inet_conn_established() |
| 87 | +--------------------------------- |
| 88 | +Called when a COOKIE ACK is received where it sets the connection's peer sid |
| 89 | +to that in ``@skb``:: |
| 90 | + |
| 91 | + @sk - pointer to sock structure. |
| 92 | + @skb - pointer to skbuff of the COOKIE ACK packet. |
| 93 | + |
| 94 | + |
| 95 | +Policy Statements |
| 96 | +================== |
| 97 | +The following class and permissions to support SCTP are available within the |
| 98 | +kernel:: |
| 99 | + |
| 100 | + class sctp_socket inherits socket { node_bind } |
| 101 | + |
| 102 | +whenever the following policy capability is enabled:: |
| 103 | + |
| 104 | + policycap extended_socket_class; |
| 105 | + |
| 106 | +SELinux SCTP support adds the ``name_connect`` permission for connecting |
| 107 | +to a specific port type and the ``association`` permission that is explained |
| 108 | +in the section below. |
| 109 | + |
| 110 | +If userspace tools have been updated, SCTP will support the ``portcon`` |
| 111 | +statement as shown in the following example:: |
| 112 | + |
| 113 | + portcon sctp 1024-1036 system_u:object_r:sctp_ports_t:s0 |
| 114 | + |
| 115 | + |
| 116 | +SCTP Peer Labeling |
| 117 | +=================== |
| 118 | +An SCTP socket will only have one peer label assigned to it. This will be |
| 119 | +assigned during the establishment of the first association. Once the peer |
| 120 | +label has been assigned, any new associations will have the ``association`` |
| 121 | +permission validated by checking the socket peer sid against the received |
| 122 | +packets peer sid to determine whether the association should be allowed or |
| 123 | +denied. |
| 124 | + |
| 125 | +NOTES: |
| 126 | + 1) If peer labeling is not enabled, then the peer context will always be |
| 127 | + ``SECINITSID_UNLABELED`` (``unlabeled_t`` in Reference Policy). |
| 128 | + |
| 129 | + 2) As SCTP can support more than one transport address per endpoint |
| 130 | + (multi-homing) on a single socket, it is possible to configure policy |
| 131 | + and NetLabel to provide different peer labels for each of these. As the |
| 132 | + socket peer label is determined by the first associations transport |
| 133 | + address, it is recommended that all peer labels are consistent. |
| 134 | + |
| 135 | + 3) **getpeercon**\(3) may be used by userspace to retrieve the sockets peer |
| 136 | + context. |
| 137 | + |
| 138 | + 4) While not SCTP specific, be aware when using NetLabel that if a label |
| 139 | + is assigned to a specific interface, and that interface 'goes down', |
| 140 | + then the NetLabel service will remove the entry. Therefore ensure that |
| 141 | + the network startup scripts call **netlabelctl**\(8) to set the required |
| 142 | + label (see **netlabel-config**\(8) helper script for details). |
| 143 | + |
| 144 | + 5) The NetLabel SCTP peer labeling rules apply as discussed in the following |
| 145 | + set of posts tagged "netlabel" at: http://www.paul-moore.com/blog/t. |
| 146 | + |
| 147 | + 6) CIPSO is only supported for IPv4 addressing: ``socket(AF_INET, ...)`` |
| 148 | + CALIPSO is only supported for IPv6 addressing: ``socket(AF_INET6, ...)`` |
| 149 | + |
| 150 | + Note the following when testing CIPSO/CALIPSO: |
| 151 | + a) CIPSO will send an ICMP packet if an SCTP packet cannot be |
| 152 | + delivered because of an invalid label. |
| 153 | + b) CALIPSO does not send an ICMP packet, just silently discards it. |
| 154 | + |
| 155 | + 7) IPSEC is not supported as RFC 3554 - sctp/ipsec support has not been |
| 156 | + implemented in userspace (**racoon**\(8) or **ipsec_pluto**\(8)), |
| 157 | + although the kernel supports SCTP/IPSEC. |
0 commit comments